Authentication Requirements for OIDC
OIDC Requirements
To access DICOMweb resources on an OIDC-enabled HealthImaging datastore, a client application must be authorized by an OpenID Connect / OAuth 2.0 identity provider (IdP) and present an OAuth 2.0 Bearer token (a JWT) in the Authorization header of each request. HealthImaging validates the token using one of the integration paths you configure on the datastore and then authorizes the request by assuming an IAM role mapped to the caller.
Note
OIDC augments but does not replace SigV4. You may continue using SigV4 unchanged. OIDC is available for DICOMweb APIs only.
Configure Token Validation on the Datastore
Choose one validation path when you create (or update) a datastore:
Customer-managed Lambda authorizer (JWT)
- Provide LambdaAuthorizerArn. HealthImaging invokes your Lambda with the incoming token; your function validates it and returns the required claims plus an IAM role ARN to assume.
- The Lambda must return within 1 second.
- Add a resource-based policy to the function that allows invocation by HealthImaging (service principal medical-imaging.region.amazonaws.com, with region replaced by your AWS Region) and, optionally, restricts calls to your datastore ARN.
- Enabling a Lambda authorizer on an existing datastore requires an AWS Support case.
Request Format (HTTP)
Send the access token in the Authorization header. Bracketed values in the example are placeholders to replace with your own:
Example GET operation - GetDICOMInstance
curl --request GET \
  '<service endpoint>/datastore/<datastore>/studies/<studies>/series/<series>/instances/<instances>?imageSetId=<imageSetId>' \
  --header "Authorization: Bearer <access token>" \
  --header 'Accept: application/dicom; transfer-syntax=1.2.840.10008.1.2.1' \
  --output 'dicom-instance.dcm' \
  --fail-with-body
Required JWT Claims
For a DICOMweb request to succeed, the effective token/authorization payload must contain these claims:
- exp - Expiration. The current time must be before this value.
- iat - Issued at. Must be before the current time in UTC and must NOT be earlier than 12 hours before the current time in UTC (maximum token lifetime).
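Added example (not from the HealthImaging documentation or AWS's own authorizer code): a Python check that a customer-managed Lambda authorizer could apply to the exp and iat claims described above, including the 12-hour maximum token lifetime. The token helper builds a constructed, unsigned test token; signature verification and the response shape a real authorizer returns to HealthImaging are outside this example.

```python
import base64
import json
import time
from typing import List, Optional

# Maximum token lifetime stated for HealthImaging DICOMweb requests: iat may
# not be more than 12 hours before the current time.
MAX_TOKEN_AGE_SECONDS = 12 * 60 * 60


def decode_payload(jwt: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature.

    A real authorizer must verify the signature against the IdP's published
    keys before trusting any claim; that step is outside this example.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_time_claims(claims: dict, now: Optional[int] = None) -> List[str]:
    """Apply the exp/iat rules; an empty list means both claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    exp = claims.get("exp")
    iat = claims.get("iat")
    if not isinstance(exp, int):
        problems.append("exp missing or not an integer")
    elif now >= exp:
        problems.append("token expired (current time is not before exp)")
    if not isinstance(iat, int):
        problems.append("iat missing or not an integer")
    else:
        if iat >= now:
            problems.append("iat is not before the current time")
        if now - iat > MAX_TOKEN_AGE_SECONDS:
            problems.append("iat older than 12 hours (maximum token lifetime exceeded)")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token (empty signature part) for local testing only."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```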